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Introduction 


Report  Summary 


This  is  an  electronic  data  processing  audit  of  general  and  application 
controls  over  the  Combined  Oil  and  Gas  System  (COGS)  at  the 
Depanmem  of  Revenue.  The  audit  reviewed  input,  processing,  and 
output  controls  over  data  processed  through  COGS.   In  addition,  the 
audit  reviewed  general  controls  over  electronic  access,  physical 
security,  and  system  development. 


The  introduction,  background  information,  and  audit  objectives  are 
discussed  in  Chapter  I.   Further  detail  for  the  audit  issues 
summarized  below  is  included  in  Chapters  II  and  III  of  the  repon. 


General  Controls 


We  limited  our  review  of  general  controls  because  COGS  processes 
on  a  personal  computer  rather  than  the  depanment's  mid-level 
computer  envirorunent.   We  evaluated  the  department's  physical 
security,  electronic  access,  and  system  development  controls. 
General  controls  over  COGS  are  adequate  except  for  the  electronic 
access  and  system  development  issues. 


Electronic  Access  Controls 


Electronic  access  privileges  allow  users  to  view,  change,  or  delete 
application  data.  The  audit  reviewed  access  privileges  given  to  nine 
department  employees.  We  found  unnecessary  employee  access  to 
COGS  programs  and  data,  maintenance  tables,  and  tolerance  edits. 


Industry  guidelines  suggest  management  restrict  employee  access  to 
production  programs  and  data  according  to  job  duties.  If  restricted 
to  job  duties,  access  controls  could  reduce  the  risk  of  unauthorized 
intentional  or  unintentional  changes  to  COGS.  Programmer  access 
should  be  restricted  to  test  programs  and  files  or,  at  a  minimum,  the 
access  should  be  logged  and  monitored.   Employee  access  to 
maintenance  tables  and  tolerance  edits  is  not  necessary  based  on  the 
employees'  job  duties. 
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System  Documentation 


The  department's  system  development  policy  defines  procedures  to 
be  followed  by  programmers  when  developing  computer  systems. 
For  example,  the  policy  requires  that  design  specifications  and  the 
system  user's  manual  be  documented.  The  audit  found  the 
department  has  not  documented  a  COGS  user  manual  or  updated 
system  documentation.  For  example,  the  original  program 
specification  report  is  outdated  and  does  not  define  current 
processing  operations. 


Documentation  provides  a  source  of  information  for  system  users 
and  programmers  who  are  responsible  for  maintaining  existing 
systems.  Without  current  documentation,  the  department  is  at  risk 
for  maintaining  COGS  if  experienced  programming  personnel 
terminate  their  employment. 


Application  Controls 


COGS  is  an  application  maintained  on  the  department's  personal 
computer  network  and  is  used  by  employees  in  the  Natural  Resource 
and  Corporation  Tax  Division.  We  reviewed  application  controls 
over  COGS  to  determine  if  data  processing  results  are  accurate  and 
reliable.  Application  controls  over  COGS  ensure  accurate 
processing  and  distribution  of  quarterly  oil  and  gas  tax  collections. 


Oil  and  Natural  Gas 
Tax  Distributions 


Approximately  350  oil  and  natural  gas  operators  file  quarterly  tax 
returns  with  the  department.  Annual  tax  collections  exceed 
$40  million,  with  80  percent  of  collections  from  oil  taxes,  and 
20  percent  from  gas  taxes.  Depending  on  production,  65  percent  of 
total  collections  are  distributed  to  local  governments  each  quarter. 
COGS  processes  oil  and  natural  gas  tax  returns,  identifies  errors  in 
the  returns,  and  maintains  well,  operator,  lease  and  tax  return  data. 


For  distribution  purposes,  the  department  determines  the  amount  of 
oil  and  natural  gas  taxes  from  the  different  types  of  wells  located  in 
each  levy  district.  The  taxes  are  distributed  to  the  state  and  county 
treasurers  based  on  percentages  established  in  section  15-36-324, 
MCA. 
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Distribution  Adjustments  The  audit  found  that  COGS  processes  tax  distributions  according  to 

state  law.   However,  in  situations  where  the  tax  liability  did  not 
equal  the  tax  paid,  COGS  distributed  the  adjustment  to  oil 
production  first  and  then  applied  the  remainder,  if  any,  to  gas 
production.   Subsequent  payments  for  the  remaining  tax  due  were 
also  allocated  to  oil  production.   As  a  result,  gas  production  taxes 
were  distributed  according  to  oil  distribution  percentages  outlined  in 
state  law. 

This  condition  is  limited  to  combined  oil  and  gas  tax  return 
adjustments  processed  through  COGS  during  the  three  quarters 
ending  June  30,  1997.  The  depanmem  has  modified  COGS 
processing  logic  to  distribute  adjustments  according  to  the  applicable 
tax  formulas,  but  still  needs  to  evaluate  and  correct  prior 
distributions. 
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Introduction  and  System  Th's  's  an  electronic  data  processing  audit  of  general  and  application 

Background  controls  over  the  Combined  Oil  and  Gas  System  (COGS)  at  the 

Depanment  of  Revenue.  The  audit  reviewed  input,  processing,  and 
output  controls  over  data  processed  through  COGS.   In  addition,  the 
audit  reviewed  general  controls  over  electronic  access,  physical 
security,  and  system  development. 

The  department's  Natural  Resource  and  Corporation  Tax  Division 
uses  COGS  to  administer  production  taxes  on  oil  and  natural  gas. 
The  division  collects  and  distributes  approximately  $40  million  of  oil 
and  natural  gas  tax  revenue  annually.  Section  15-36-324,  MCA, 
provides  for  a  single  production  tax  based  on  the  type  of  well  and 
amount  of  production.   Begirming  with  the  first  quaner  of  1996, 
COGS  was  implemented  to  process  oil  and  gas  tax  returns  and  to 
calculate  the  tax  distributions  to  state  and  local  governments. 

The  division  distributes  oil  and  natural  gas  tax  revenues  to  the 
various  counties  having  oil  and  gas  production,  including  the  interest 
and  penalty  for  late  payment,  and  interest  earned  by  the  state  from 
temporary  investment  of  the  money.  The  quanerly  distribution  is 
based  on  a  statutory  formula.  The  primary  objective  of  COGS  is  to 
provide  the  functions  required  for  oil  and  natural  gas  production 
taxation,  distribution  and  reponing.   Other  system  objectives  are  to 
increase  the  accuracy  and  reliability  of  tax  return  information,  and  to 
provide  better  management  and  statistical  information. 

The  depanment  is  evaluating  the  replacement  of  its  existing 
computer  systems,  including  COGS,  with  a  single  integrated  tax 
system.  Recommendations  included  in  this  repon  address  changes  to 
existing  department  procedures  and  system  processing  functions.  To 
implement  the  recommendations,  we  recognize  the  depanment  must 
modify  the  existing  system  or  develop  solutions  within  a  replacement 
system. 
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Organization  of  Report 


General  and  Application 
Controls 


The  report  is  organized  into  three  chapters.  Chapter  I  provides  an 
introduction,  background  information,  and  audit  objectives. 
Chapter  II  includes  the  review  of  genera!  controls  applicable  to  the 
data  processing  environment.  Chapter  III  discusses  the  review  of 
application  controls  and  audit  issues  pertaining  to  the  COGS  data 
processing  function. 

EDP  controls  provide  assurance  over  the  accuracy,  reliability,  and 
integrity  of  the  information  processed.   General  controls  apply  to  the 
environment  in  which  applications  process  data.   Application 
controls  are  specific  to  a  given  application  or  set  of  programs  that 
accomplish  a  specific  function. 


An  application  must  operate  within  the  general  control  environment 
in  order  for  reliance  to  be  placed  on  overall  processing  results. 
COGS  operates  on  a  personal  computer  platform  that  is  maintained 
on  the  department's  network.  We  evaluated  application  controls  and 
general  controls  specific  to  the  COGS  operating  environment. 


Audit  Objectives 


The  objectives  of  this  audit  were  to  evaluate,  conclude,  and  report 
on  the: 


1.    Application  controls  over  data  processed  by  COGS.  The  audit 
evaluated  data  input  controls;  primary  processing  functions, 
including  the  processing  of  natural  gas  and  oil  tax  returns  and 
the  calculation  of  tax  distributions;  and  the  reliability  of  system 
output.  Compliance  with  department  policy  and  state  law  was 
also  evaluated. 


Audit  Scope  and 
Methodology 


2.    General  controls  specific  to  the  COGS  data  processing 

environment,  including  physical  security,  electronic  access,  and 
system  development  controls. 

The  audit  was  conducted  in  accordance  with  generally  accepted 
government  auditing  standards  (GAGAS).   We  compared  the  depart- 
ment's general  and  application  controls  against  criteria  established 
by  the  American  Institute  of  Certified  Public  Accountants  (AICPA), 
United  States  General  Accounting  Office  (GAO),  and  the  electronic 
data  processing  (EDP)  industry. 
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This  audit  evaluated  general  controls  implemented  by  the  department 
over  COGS  in  selected  areas.   We  reviewed  physical  security 
controls  for  backup  procedures  of  COGS  data  and  evaluated  the 
department's  procedures  for  recovery  from  a  system  failure.   We 
evaluated  access  to  data  files  and  programs  to  ensure  access  is 
limited  to  those  authorized  to  process  or  maintain  COGS.  We  also 
reviewed  development  procedures,  user  involvement,  and 
documentation  of  the  COGS  system  to  determine  if  department 
policy  was  followed. 

The  audit  reviewed  the  department's  application  controls  over 
COGS.  We  evaluated  policies  and  procedures  in  relation  to  input, 
processing,  and  output  controls.   For  example,  we  reviewed  data 
entry  procedures,  compared  hard  copy  tax  returns  to  data  recorded 
in  COGS,  and  evaluated  processing  results. 

Compliance  ^^  a\id\t  reviewed  application  processing  for  compliance  with 

department  policy  and  state  law.   We  also  verified  the  tax  rates  and 
distribution  percentages  used  on  COGS  for  the  different  types  of  gas 
and  oil  production  agreed  with  section  15-36-324,  MCA.   For 
example,  we  reviewed  COGS  processing  activities  to  ensure  the 
distribution  of  taxes  from  Post-1985  oil  wells  was  split  properly 
between  state  and  local  government.  The  audit  also  evaluated 
system  development  controls  for  compliance  with  department  policy. 
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Introduction 


We  limited  our  review  of  general  controls  because  COGS  processes 
on  a  personal  computer  rather  than  the  department's  mid-level 
computer  environment.   We  evaluated  the  department's  physical 
security,  electronic  access,  and  system  development  controls. 


General  Controls 
Conclusion 


General  controls  over  COGS  are  adequate  except  for  the  electronic 
access  and  system  development  issues.   The  electronic  access  issues 
discussed  below  increase  the  risk  of  unauthorized  changes  to  COGS 
programs  and  data.   In  addition,  system  documentation  over  COGS 
could  be  improved.  The  following  sections  provide  recommen- 
dations where  the  department  can  improve  general  controls. 


Electronic  Access 
Controls 


Electronic  access  privileges  allow  users  to  view,  change,  or  delete 
application  data.  The  audit  reviewed  access  privileges  given  to  nine 
depanment  employees.   Electronic  access  is  not  restricted  according 
to  employee  job  duties.   As  outlined  below,  we  found  unnecessary 
employee  access  to  COGS  programs  and  data,  maintenance  tables, 
and  tolerance  edits. 

—  Two  employees  no  longer  use  COGS  and  do  not  require  access. 

--    Three  employees  who  are  responsible  for  programming  and 
system  suppon  have  unlogged  access  to  all  COGS  application 
programs  and  data.  Unlogged  access  increases  the  risk,  of 
unauthorized  changes  to  production  programs  and  data  without 
detection. 

—  All  nine  employees  have  access  to  COGS  maintenance  tables. 
Inappropriate  access  increases  the  risk  of  unauthorized  changes 
to  maintenance  table  values  used  to  process  calculations,  such  as 
fixed  unit  values  for  Pre-85  wells,  tax  rates  and  distribution  rates 
set  by  state  law. 

~    All  nine  employees  have  the  ability  to  change  tolerance  levels. 
Tolerance  levels  allow  processing  to  continue  when  minimal 
differences  are  detected  by  the  system.   Using  the  access 
privilege,  tolerance  amounts  could  be  increased  to  allow  large 
differences  to  process  without  warning. 
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Industry  guidelines  suggest  management  restrict  employee  access  to 
production  programs  and  data  according  to  job  duties.   If  restricted 
to  job  duties,  access  controls  could  reduce  the  risk  of  unauthorized 
intentional  or  unintentional  changes  to  COGS. 

Programmer  access  should  be  restricted  to  test  programs  and  files,  or 
at  a  minimum  the  access  should  be  logged  and  monitored.   Employee 
access  to  maintenance  tables  and  tolerance  edits  is  not  necessary 
based  on  the  employee's  job  duties. 

The  department  noted  the  access  security  software  does  not  have  the 
ability  to  completely  restrict  user  access  according  to  specific  job 
functions.  By  removing  unnecessary  employee  access  and  restricting 
access  where  possible,  the  department  could  improve  controls  over 
COGS  data  processing  activities. 

Recommendation  #1 

We  recommend  the  department: 

A.  Remove  employee  access  to  COGS  where  no  longer  needed. 

B.  Restrict  or  log  and  monitor  programmer  access  to  produc- 
tion programs  and  data. 

C.  Restrict  employee  access  to  maintenance  tables  and 
tolerance  levels. 


System  Documentation  ^^  department's  system  development  policy  defines  procedures  to 

be  followed  by  programmers  when  developing  computer  systems. 
For  example,  the  policy  requires  that  design  specifications  and  the 
system  user's  manual  be  documented.  The  audit  found  the 
department  has  not  developed  a  COGS  user  manual  or  updated 
system  documentation.  For  example,  the  original  program 
specification  repon  is  outdated  and  does  not  define  current 
processing  operations. 

Documentation  provides  a  source  of  information  for  system  users 
and  programmers  who  are  responsible  for  maintaining  existing 
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systems.   Without  current  documentation,  the  department  is  at  risk 
for  maintaining  COGS  if  experienced  programming  personnel 
terminate  their  employment.   Depanment  personnel  indicated  that  a 
shortage  of  programming  resources  and  a  limited  development  time 
frame  caused  incomplete  documentation. 

The  department  is  evaluating  its  depanment-wide  data  processing 
functions  and  intends  to  replace  COGS  with  newer  technology.  On 
future  development  projects,  the  department  should  ensure  in-house 
development  projects  include  complete  documentation  according  to 
department  policy. 

Recommendation  #2 

We  recommend  the  department  complete  documentation  for 

system  development  projects  according  to  department  policy. 
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COGS  is  an  application  maintained  i)n  the  depanment's  personal 
computer  network  and  is  used  by  employees  in  the  Natural  Resource 
and  Corporation  Tax  Division.  We  reviewed  application  controls 
over  COGS  to  determine  if  data  processing  results  are  accurate  and 
reliable. 


Application  Controls 
Conclusion 


Application  controls  over  COGS  ensure  accurate  processing  and 
distribution  of  quarterly  oil  and  gas  tax  collections.   This  chapter 
includes  one  audit  issue  pertaining  to  the  distribution  methodology 
over  tax  return  adjustments,  as  discussed  on  page  1 1 . 


Oil  and  Natural  Gas 
Tax  Distributions 


Approximately  350  oil  and  natural  gas  operators  file  quanerly  tax 
returns  with  the  depanment.   Annual  tax  collections  exceed 
$40  million,  with  80  percent  of  collections  from  oil  taxes,  and 
20  percent  from  gas  taxes.  Depending  on  production,  65  percent  of 
total  collections  are  distributed  to  local  governments  each  quaner. 


COGS  calculates  the  quarterly  tax  distributions  to  state  and  local 
governments  based  on  the  type  of  wells  and  amount  of  production. 
COGS  processes  oil  and  natural  gas  tax  returns,  identifies  errors  in 
the  returns,  and  maintains  well,  operator,  lease  and  tax  return  data. 
Tax  receipts  are  recorded  on  the  financial  records  upon  collection. 
The  total  revenue  collected  is  reconciled  with  COGS  to  ensure  the 
department  only  distributes  what  is  collected. 

For  distribution  purposes,  the  department  determines  the  amount  of 
oil  and  natural  gas  taxes  from  the  different  types  of  wells  located  in 
each  levy  district.  The  taxes  are  distributed  to  the  state  and  county 
treasurers  based  on  percentages  established  in  section  15-36-324, 
MCA.  Table  1  shows  the  percentages  used  based  on  the  type  of 
production. 
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Table  1 

State  and  Local  Distributi 

on  Percentages 

Local 

State 

Type  of 

Govt. 

Govt. 

Production 

Share 

Share 

Oil  Production 

Working  Interest 

Stripper:  Pre-1985  and  Post-1985 

Wells,  first  3  barrels 

86.20% 

13.80% 

Post-1985  Wells  (qualifying  production) 

First  12  months  of  production 

0% 

100.00% 

After  first  12  months,  but  less  than 

24  months 

89.75% 

10.25% 

Horizontally  Drilled 

Newly  Drilled 

First  18  months  of  production 

0% 

100.00% 

After  18  months,  but  less  than  24 

months 

89.75% 

10.25% 

Recompleted 

First  18  months 

0% 

100.00% 

All  Other  Oil  Production 

Working  and  Royalty  Interests 

60.70% 

39.30% 

Gas  Production 

Post- 1985  Wells  (quahfying  production) 

First  12  months  of  production 

0% 

100.00% 

After  first  12  months,  but  less  than 

24  months 

93.75% 

6.25% 

All  Other  Gas  Production 

Working  and  Royalty  Interests 

86.00% 

14.00% 

Source:  Compiled  by  the  Legislative  Audit  Division  from 

Depailment  of 

Revenue  distribution  percentages  set  in  section  15-36-324, 

MCA. 
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Chapter  III  -  Application  Controls 


Distribution  Adjustments  The  department  receives  over  350  tax  returns  reporting  production 

from  approximately  5,000  oil  and  natural  gas  leases  each  quarter. 
Quarterly  tax  collections  exceed  $9  million.   State  law  requires  the 
department  to  distribute  the  taxes  according  to  the  percentages 
outlined  in  table  1  on  page  10.   Each  local  government  is  entitled  to 
its  share  of  the  distribution  according  to  actual  oil  and  natural  gas 
production  within  the  county.   Once  distributed  to  local 
governments,  county  treasurers  allocate  the  funds  to  the  individual 
levy  districts  where  actual  production  occurred,  as  reponed  by 
COGS  according  to  the  distribution  formula. 

The  audit  found  that  COGS  processes  tax  distributions  according  to 
state  law.  However,  in  situations  where  the  tax  liability  did  not 
equal  the  tax  paid,  COGS  distributed  the  adjustment  to  oil 
production  first  and  then  applied  the  remainder,  if  any,  to  gas 
production.   Subsequent  payments  for  the  remaining  tax  due  were 
also  allocated  to  oil  production.   As  a  result,  gas  production  taxes 
were  distributed  according  to  oil  distribution  percentages  outlined  in 
state  law.  For  example,  a  tax  return  adjustment  we  reviewed 
underpaid  one  levy  district  $1,325  and  overpaid  the  state  $1,263. 

This  condition  is  limited  to  combined  oil  and  gas  tax  return 
adjustments  processed  through  COGS  during  the  three  quaners 
ending  June  30,  1997.  The  depanmem  has  modified  COGS 
processing  logic  to  distribute  adjustments  according  to  the  applicable 
tax  formulas,  but  still  needs  to  evaluate  and  correct  prior 
distributions.  The  department  is  in  the  process  of  implementing  a 
system  enhancement  that  will  allow  them  to  identify  the  incorrect 
adjustments.  Since  completing  our  fieldwork,  the  department  has 
determined  fewer  than  sixty-three  combined  oil  and  gas  returns 
require  correction. 

Recommendation  §2> 

We  recommend  the  department  evaluate  and  correct  adjustment 
distribution  errors  on  combined  oil  and  gas  tax  returns  processed 
through  COGS  during  the  three  quarters  ending  June  30,  1997. 
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Agency  Response 
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Director's  Office 

Sam  W.  Mitchell  Building 


Montana  Department  of 

REVENUE 


p.  0. Box  202701 
Helena,  Montana  59620-2701 


May  29,  1998 


Mr.  Scott  A.  Seacat,  Legislative  Auditor 
Legislative  Audit  Division 
Room  135   State  Capitol 
PO  Box  201705 
Helena,  MT  59620-1705 


b   \£ 
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Dear  Scott: 

The  Department  of  Revenue  responses  to  the  1998  Combined  Oil  and  Gas  System 
("COGS")  Audit  Report  recommendations  are  as  follows: 

Recommendation  #1.  We  recommend  the  department: 

A.  Remove  employee  access  to  COGS  where  no  longer  needed. 

B.  Restrict  or  log   and   monitor  programmer  access   to   production 
programs  and  data. 

C.  Restrict  employee  access  to  maintenance  tables  and  tolerance  levels. 

Concur.  The  audit  pointed  out  several  people  had  access  to  COGS  who  no  longer  had 
a  business  requirement  to  be  active  COGS  users.  Working  with  the  user  management 
we  reduced  the  number  of  authorized  users  from  nine  to  four,  including  the  Information 
Technology  support  person.  As  also  indicated  in  the  audit,  the  system  software  does 
not  provide  us  the  ability  to  fully  restrict  or  log  and  monitor  programmer  access.  We  will 
continue  to  pursue  alternative  means  to  restrict  or  log  programmer  access  to  production 
data. 

Recommendation  #2.  We  recommend  complete  system  documentation  for  system 
development  projects  according  to  department  policy. 

Concur.  The  only  existing  COGS  documentation  is  embedded  within  the  Clipper  code. 
As  COGS  is  modified  for  reporting  or  mandated  function  changes,  that  documentation 
will  be  extracted  for  user  purposes.    The  demands  placed  on  our  limited  staff  by  Year 
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2000,  MET/yPOINTS  and  other  support  activities  prevent  us  from  doing  a  more 
comprehensive  documentation  effort  at  this  time. 

Recommendaton  #3.  We  recommend  the  department  evaluate  and  correct  adjustment 
distribution  errors  on  combined  oil  and  gas  tax  returns  processed  through  COGS  during 
the  three  quarters  ending  June  30,  1997. 

Concur.    As  stated  in  the  report,  we  have  modified  the  system  processing  logic  to 
remove  the  oil  first-gas  second  logic  for  all  returns  entered  into  the  system  for  the 
quarter  ending  September  30,  1997,  and  for  all  future  quarters. 

The  system  modifications  to  correct  any  distribution  errors  have  been  identified  and  the 
appropriate  system  changes  v^/ill  be  made.  Once  implemented,  \Ne  will  correct  any 
monies  which  have  been  distributed  in  error  for  the  three  quarters  mentioned  in  your 
report. 

We  appreciate  the  opportunity  to  respond  and  thank  you  and  your  staff  for  their 
professional  conduct  and  courtesy  on  the  audit. 

Sincerely, 


^PlOUu^  ^^AAjLisn^ 


Mary  Bryson 
Director 
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